Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get data from the last 2 business days

younesboumaaz
Engager
‎02-11-2021 08:26 AM

I'm setting an alert that will run everdy business day at 9AM and triggers only if the sum of a field is 0 for 2 consecutive business day.

To do that, I want to set my time range for my search to return events from the last two business days.

For example, if it is Monday, it will return data for Thursday and Friday, if it is Tuesday, it will return data for Friday and Monday.

I tried to use "earliest" and "latest" at the beginning of my search  but I can't get it to work....

Any Help would be welcome ! 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

younesboumaaz
Engager
‎02-15-2021 05:35 AM

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "6 last days" : 

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash 
| fillnull value=0 sommehash 
| eval 
Jour=strftime(_time, "%A %d %B %Y"),
day_of_week = strftime(_time,"%A"),
now=strftime(now(),"%A") , 
test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"),"OK",
now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"),"OK",
now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"),"OK",
now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"),"OK",
now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"),"OK",
1=1,0) 
| where test="OK" 
| stats sum(sommehash) as test_sommehash values(Jour) as jour

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lydiapal_splunk
Splunk Employee
Splunk Employee
‎02-13-2021 04:24 PM

Hi! 

Here's a solution that will work if your data has the default field "date_wday" extracted (see docs here). Although it is a default field (extracted automatically), you should read the docs before using this field. If this field is not available, you would need some other logic to determine the weekday for each event.

index=yourindex earliest=-4d@d latest=-0d@d date_wday IN ("monday","tuesday","wednesday","thursday","friday")
| eventstats latest(date_wday) as last_weekday
| eval previous_working_day=case(last_weekday="monday","friday",last_weekday="tuesday","monday",last_weekday="wednesday","tuesday",last_weekday="thursday","wednesday",last_weekday="friday","thursday")
| where date_wday=last_weekday OR date_wday=previous_working_day
... rest of your search...

Basically the search will look back last 4 full days (as on Monday it will have to look back for Thursday-Friday).

It will filter to only look at weekdays, determine last week day, and based on this, determine the previous week day. Then it will filter to only show those last two weekdays.

Hope this helps! 😊

Phoebe

Reply
Solved! Jump to solution
Solution

younesboumaaz
Engager
‎02-15-2021 05:35 AM

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "6 last days" : 

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash 
| fillnull value=0 sommehash 
| eval 
Jour=strftime(_time, "%A %d %B %Y"),
day_of_week = strftime(_time,"%A"),
now=strftime(now(),"%A") , 
test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"),"OK",
now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"),"OK",
now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"),"OK",
now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"),"OK",
now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"),"OK",
1=1,0) 
| where test="OK" 
| stats sum(sommehash) as test_sommehash values(Jour) as jour

 

0 Karma
Reply
Solved! Jump to solution

lydiapal_splunk
Splunk Employee
Splunk Employee
‎02-13-2021 04:25 PM

Also to note that there must be events on the "last working day" for this search to work.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...